I'm trying to set up a client machine so that only kinit traffic works. So far, my rules look like
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
With this as-is, when I run "kinit remuser", I keep getting the error
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
If I run
iptables -P INPUT ACCEPT
then "kinit remuser" works as expected. And after that first success, if I run
iptables -P INPUT DROP
it still keeps working.
I've tried using wireshark to see what I'm initially disallowing. It seems arp related, but I can't consistently see that... and I thought iptables wasn't supposed to mess with arp. I'm not seeing anything missing with "arp -n" or "ip -s neigh".
I've got the client and server configured correctly enough to work, but I'm still too new to this stuff to know what other ports I need to allow to get this working. If anyone can give me some tips I'd appreciate it.
UPDATE
Although my adapter claimed to be in promiscuous mode, it wasn't. I ended up running wireshark on the server, and saw no other port numbers needed. To verify that, I updated the rules to include
-A INPUT -s 192.168.1.130 -j ACCEPT
and as the successful kinit wireshark capture suggested, it didn't help. It's only when I open up all INPUTs that it works.
Thanks.
Hector
Kerberos is generally udp by default. I'm not that familiar with IP tables, but while port number on the server is defined the port number on the client is entirely random. So any ip based filter has to allow incoming udp packets with arbitrary client port numbers.
Similarly on the outgoing side, you need to be able to send packets with arbitrary udp ports on the client side. For kinit you only need the kerberos port, but changing passwords, etc, you will also need the kadmin ports.
Having said all that and making my best guess at what the ip tables rules mean, I think that's what you've implemented. However, you also need access to DNS srv records or a working krb5.conf.
http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers
It may be that kinit starts working when you allow incoming DNS record lookups. This would also explain why it continues to work after the first connection as it likely the DNS record is cached on the system. Is the server listed in your krb5.conf in your /etc/hosts file? If not that would explain the behaviour.
Thinking about this a bit more, what exactly do you expect to do with this ticket after you get it? The whole point of kerberos is to implement security on an open network by securing the endpoints, not by implementing firewalls.
I got it. And perhaps this only applies to me or anyone else using a HW VPN. An ICMP type 3 packet needed to be received from the gateway for the krb5 transaction to continue. My co-workers who are testing something similar on a work network aren't seeing this issue, so we'll need to figure out what's special in my case and whether it applies to other things.
The hardest part of all this was finding a wired adapter that truly supports promiscuous mode.
Related
I run a working Wireguard server with 2 Wireguard Gateways for Site-to-Site VPN and a couple of Mobile Devices with a Full Tunnel that are used occasionally. One of my Site Gateways is a RaspberryPi4 that I want to provide a WIFI-Access-Point that directly tunnels to the Wireguard Server. This RaspberryPi has working access to all connected subnets via the main Server, so Wireguard is setup properly.
I want to use my Raspi4 to roam the world and provide me a WIFI-Access-Point while any device that connects to it is directly routed into Wireguard and emerges to the web only from there. I used the standard gateway setup provided and my WIFI device can access the web but doesn't tunnel through Wireguard (yet).
I can't really find where I can configure where the access point is bound to, dnsmasq, apdconf or a simply iptables rule?
Example IPs
Server: 10.0.7.1, local network 192.168.0.1/24
Raspi4: 10.0.7.5, local network 192.168.6.5/24, WIFI 192.168.7.5/24
So far I haven't succeeded, ideas?
Got it to work, took a few steps.
First I changed the Wireguard-tunnel on the RP4 to be a full tunnel, it was previously a split-tunnel, only routing the IPs of the other local LANs into the wg0 interface.
Working Full Tunnel:
AllowedIPs = 0.0.0.0/0
Not working Split-Tunnel:
AllowedIPs = 10.0.7.0/24, 192.168.0.0/24
Trying with a Split-Tunnel was stupid to begin with. Only the local IPs mapped in wireguard were fed into the tunnel, public IPs emerged directly on the RP4 network. The tunnel was working as configured but simply not as I wanted to.
Second, iptables was the solution, everything else was already setup properly. I had to add
iptables -A FORWARD -i wlan0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
Without those rules, I would only be able to connect to the WIFI but had no internet connection
The rest of the setup is pretty much the same as in this tutorial
I am using mongodb with two servers physically located in respectively Italy and France.
The France server runs Ubuntu server is the Primary of the replica set, and works fine, i.e it accepts connections from mongo shell whether locally or remotely and is continuously updated by a python client.
The second server in Italy works fine standalone with CentOS, but get stuck to STARTUP status when starting as part of the replica set. The log indicates that it received the configuration from the primary.
I tried a several things to fix the issue but none of them works:
Try to use keyfile (or not) between members of the replica set.
Check the Firewall is open on both sides with nmap
Add iptables rules to assert the mongodb port accept in/out traffic.
Check mongod is up and listening on all IP on both sides.
Configure (or not) the same admin user on secondary before restarting with --replSet. This step can only be done when secondary is standalone, since started as member of the replica set, it is stuck in transient state and thus it does not accept user creation. Hence it follows that login to the secondary fails.
Also both members (France:primary and Italy:secondary) are started with --auth, --replSet rs0, --keyFile.
I researched the issue on the web before, and found the closest answer here:
MonogoDB Replica Set Status Not changing from Startup to Secondary
But the author mention that the secondary did not received the configuration which makes the issue different than this one.
Thanks for your help.
Ran into a similar issue. Are you running iptables or nftables?
For me, accepting inbound packets from 127.0.0.0/8 to port 27017 and outbound packets to 127.0.0.0/8 port 27017 did the job.
Here are the rules I added using nft, but they are specific to my nftables setup so they might not work as-is for you.
nft add rule inet filter input ip saddr 127.0.0.0/8 tcp dport 27017 accept
nft add rule inet filter output ip daddr 127.0.0.0/8 tcp dport 27017 accept
And here is the equivalent for iptables.
iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 27017 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -p tcp -m tcp --dport 27017 -j ACCEPT
I had the same issue and what solved it for me was making sure the name of each member was using the IP address rather than hostname. I change the members already in the replica set to use IP address by just re-configuring with
conf=rs.conf()
conf.members[0].host="XX.XX.XX.XX:27017"
conf.members[1].host="XX.XX.XX.XX:27017"
conf.members[2].host="XX.XX.XX.XX:27017"
rs.reconfig(conf, {force: true})
and then I added my new member by IP address
rs.add("XX.XX.XX.XX:27017")
and it worked.
What I want to do is setup two web servers. One will simply deliver normal content to people that request it and one will put minimal strain on the system and strictly deliver an access denied type of message for hackers.
I looked at http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ for ideas on how to create this redirection based on a bad IP address and its suggesting:
iptables -t nat -A PREROUTING --src <source address> -p tcp --dport <new server port number> -j REDIRECT --to-port <new server port number>
I then tested that theory by trying the following on a computer without internet but with apache server running on port 80 and nothing on port 81:
iptables -t nat -A PREROUTING --src 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port 81
I then typed in 127.0.0.1 in my web browser and received the same apache response as usual. Instead, I expected a browser message that it could not connect to the remote server.
How to I adjust the iptables command to make computers from listed IP in --src redirect from 127.0.0.1 port 80 to 127.0.0.1 port 81?
I understand I can use apache or php and even apache modules and all that for the redirection but I'm trying to use the least system-intensive approach and I want hackers to have the least amount of system resources available to them so that real visitors can enjoy a quality website, however
I want them to be able to see a message because if a real person gets blocked by accident then at least they can understand what's going on from an error message instead of a connection drop.
Packets on the loopback interface (127.0.0.0/8) don't pass through the NAT tables. Try using an external computer for the test.
I was trying to change the incoming interface of the packet using iptables MARK and ip route commands.
I have tried this approach which suggests the use of iptable Mark and iproute2 utilities instead of ROUTE target, but could not find any success changing the incoming interface of the packet in the receiving path.
I have an application 'A' which binds to an interface intfA in linux i.e the application sends and receives packets only on via intfA.
Sending path
In a tunnel based setup, I was able to send packet's out from intfA to tap0 using the following iptable commands:
iptables -t mangle -A OUTPUT -d 8.9.10.11/32 -j MARK --set-mark 1
ip rule add fwmark 1 priority 9000 table 1
My default routing entry in main table is pointing to intfA
In table '1' I have made the default routing table entry point to tap0:
route add default dev tap0 table 1
I could observe from the kernel dmesg logs that the outgoing interface of the packet changed succesfully from intfA to tap0.
In the return path
After tap0 gets the encrypted packet from tunnel, it decrypts it and injects the plain text packet with destination 'a.b.c.d' into the linux kernel via the tap0 interface.
So at the kernel prerouting hook, I see the packet coming with IP = 'a.b.c.d' and with incoming tap0.
Following iptable rules were used to change the incoming interface:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j MARK --set-mark 2
ip rule add fwmark 2 priority 8000 table 2
In table '2' I have made the default routing table entry point to intfA:
route add default dev intfA table 2
I tried to log the packets at the PREROUTING hook and the INPUT hook using the following iptable commands:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN PREOUTING: "
iptables -t mangle -A INPUT -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN INPUT: "
I was hoping the incoming interface of the packet to be changed from tap0 to intfA between the PREROUTING hook and INPUT hook. But suprisingly the interface doesn't change in both the kernel log trace. I could see the incoming packets marked with mark 2 as well.
From the dmesg log's i confirmed that the Incoming interface still remains as tap0 after the INPUT hook.
I wanted to understand the reason behind this behaviour for the iptables commands I have used. Not sure if I missed anything in iptables commands I used which is causing this issue.
I have the same problem. As a temporary solution I've found that -j TEE target helps:
iptables -t mangle -A PREROUTING [options] -j TEE --gateway IP
In your case, fill [options] and the gateway's IP (intfA address) with your values.
Today a started apache on CentOS and I'm able to open the test page on same machine as localhost. But I'm unable to open it using another computer. The CentOS server is on a VLAN (using switch) behind a router. I'm able to ping the server from other side using my laptop. But I'm not able to open the test page in my browser. I have another server in same VLAN which I'm able to access from my laptop.
Also here is some entries of iptables -L
Chain INPUT
ACCEPT tcp -- anywhere anywhere tcp:dtp:http
ACCEPT udp -- anywhere anywhere udp:dtp:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I'm not sure what else I need to check.
Security theory tells to first drop the firewall and test (iptables -F). If you can access then it is really a iptables issue, if you are still unable to reach your service, try looking if you got any specific bind: netstat -an | grep "LISTEN " if you see something like:
"tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN "
means that your server is only listening on localhost ip, you should check on specific httpd binds on /etc/httpd/conf/httpd.conf
If you require some more help, keep posting =)